Updated December 18, 2017 (originally published October 26, 2017)

Reaper: The Professional Bot Herder’s Thingbot

By David Holmes, Justin Shattuck

This isn’t your mama’s botnet. This is a proper botnet. If you were the world’s best IoT botnet builder and you wanted to show the world how well-crafted an IoT botnet could be, Reaper is what you’d build. It hasn’t been seen attacking anyone yet, and that is part of its charm. But, what is it doing? We’ve got some ideas.

Oct 31, 2017 Update

The intentions of Reaper are as unclear today as they were a week ago. We hold to our position that the interesting aspect of Reaper is not its current size, but its engineering, and therefore its potential.

From a pure research perspective, we’re interested in how Reaper is spreading. Instead of targeting weak auth like a common thingbot, Reaper weaponizes nine (and counting) different IoT vulnerabilities.

We think the current media focus on “the numbers” instead of the method is a tad myopic. See the next “update” section below for our clarification.

What’s in a Name?

The good people at 360’s Network Security Research Lab (“Netlab 360”) have been monitoring this thingbot the longest, and they named it IoT_reaper.[1] They sort of sat on the story for a while, watching Reaper evolve. Not long afterward, Check Point Software Technologies discovered it and named it IOTroop, but Brian Krebs’ article[2] has given the original moniker some momentum. So, let’s go with Reaper for now.

Size and Position

Krebs puts the current size of Reaper at over one million IoT devices. We have data that suggests it could include over 3.5 million devices and could be capable of growing by nearly 85,000 devices per day. The reason Reaper has gotten so big and, honestly, the reason we’re so impressed with its construction is that, unlike its predecessors, Mirai and Persirai, Reaper uses multiple attack vectors. Mirai used default passwords. Persirai used the blank username + password combo, which frankly is such a doofus security error on the part of the manufacturer that we feel it barely deserves to have a CVE.

Reaper is almost showing off by not even trying the password cracking, and instead just exploiting different vulnerabilities (RCEs, web shells, etc.) in nine different IoT vendor devices.

Oct 31, 2017 Update (continued)

Reports on the “size” of Reaper vary. We’ve scanned 750,000 unique devices that match the nine vulnerabilities currently exploited by Reaper. We regularly scan 85,000 new, “Reaper-compatible” devices per day. We don’t know which of them are actually infected, but there’s no reason that Reaper itself couldn’t infect them, unless its authors didn’t want it to.

The nine vulnerabilities currently used by Reaper are fairly rudimentary, as vulnerabilities go. If the thingbot authors were to include a few dozen existing vulnerabilities that fit Reaper’s device-targeting profile, we think they could grow the thingbot by an additional 2.75 million nodes. If they wanted to. Adding that 2.75 million to the 750,000 that are currently “Reaper-compatible” gives the number 3.5 million.

Note: We will not be disclosing the additional CVEs as that would simply expedite the authors’ exploits.

The actual size of Reaper is probably limited to whatever size its authors want it to be.

Right now it feels like its authors are experimenting. Building and testing. Maybe Reaper is pure research. We don’t know, and that’s kind of why we respect it.

Reaper Has Better IoT Security

Unlike many of the devices that it infects, Reaper has an update mechanism. How impressive is that? If it weren’t malicious, it might qualify to meet the standards of the new “Internet of Things (IoT) Cybersecurity Improvement Act of 2017” federal requirements. Heck, the authors could even make a distribution out of it and it could become the default remote management platform for IoT.

Is It Malicious?

So far, Reaper hasn’t been seen attacking anyone with massive volumetric DDoS attacks. Yes, that’s a good thing. At least one of us thinks it might never be seen attacking anyone. If Reaper were to start being used as the ultimate Death Star weapon, that would cheapen its value. It would also result in active takedown campaigns.

Remember how at least two strike-back bots were created to combat Mirai after it attacked Krebs, OVH, and Dyn? Brickerbot actively wiped the filesystems of infected IoT devices (in many cases, turning them into little more than bricks). Hajime was more polite and merely blocked ports and left a cute little note informing the device owner that their device was participating in attacks and please stahp!

If Reaper starts attacking people with DDoS, it will turn from a marvel of thingbot infrastructure engineering into—yawn—another volumetric attack tool. The bot herders would be hunted down by law enforcement (à la the Mirai case[3]) and the bot would be disassembled.

What Is It Doing?

Right now, Reaper is an object lesson for IoT manufacturers and security researchers. It’s like a giant blinking red light in our faces every day warning us that we’d better figure out how to fix IoT security soon.[4]

Figure 1: F5’s depiction of Persirai—the mother of Reaper?
We’ve been monitoring the Persirai botnet for the last six months. We regularly measured Persirai at 750,000 IP cameras. Persirai was never seen attacking anyone, either, and we speculated about what it could be doing.

Since Reaper is also composed of many digital video devices, we could speculate this: What if both Persirai and Reaper are actually surveillance networks?

Think of the intel you could gather with access to millions of video cameras. Nation-states with active intelligence programs would be drooling all over themselves to get access to that data. The US, China, Russia, and North Korea are all obvious suspects because who else but a nation-state could process or store all the input?

If Reaper doesn’t attack anyone or give away its intentions, it may enter the same mythical space occupied by the Conficker worm of the late 2000s. At its peak, Conficker infected over 10 million[5] Windows computers and caused great concern because it could have done an insane amount of damage. But it was never activated, and it remains a study in bot construction.

The obvious lesson is that the state of IoT security is still incredibly poor, and we need to do a better job of threat modeling[6] the Internet of Things.[7][8][9]

About the author

David Holmes

David Holmes is a researcher and evangelist for F5 Networks, with emphasis on cryptography, distributed denial of service attacks, and the Internet of Things. He has spoken at over 50 conferences such as RSA, RSA Europe, InfoSec and Gartner Data Center. Holmes researches and writes on global cryptography trends, DDoS, IoT and blockchain. He has also written for industry magazines such as SCMagazine and the Network World. Holmes writes regularly about vulnerabilities, technical solutions and the security industry for SecurityWeek.com and F5 Labs.

Justin Shattuck is a Principal Threat Researcher for F5 Labs. He has been an avid threat hunter for most of his life and continually tracks attack campaigns and threat actors. He routinely participates in takedowns and helps to inform various law enforcement agencies of nefarious cyber activity. Justin has been a security product developer and researcher for over 15 years. Most recently he was the Manager of Product Development for F5 Silverline where he was responsible for developing features and enhancements to F5 Silverline's managed security services including Web Application Firewall and DDoS attack mitigation.
